Krebs on Security

In-depth security news and investigation

Posts Tagged: malware

Multiple sources in law enforcement and the financial community are warning about a possible credit and debit card breach at Teavana, a nationwide tea products retailer. Seattle-based coffee giant Starbucks, which acquired Teavana late last year, declined to confirm a breach at Teavana, saying only that the company is currently responding to inquiries from card-issuing banks and credit card brands.

Over the weekend, KrebsOnSecurity received a tip from an anonymous reader who said Teavana had suffered a data breach that exposed credit and debit card information. A source at a major U.S. credit card issuer confirmed that the card brand has seen fraud rates indicative of a breach emanating from virtually the entire Teavana franchise, which spans more than 280 stores nationwide. Separately, a federal law enforcement official who asked not to be named said agents were indeed investigating a possible breach at Teavana.

On Sunday, I sent an inquiry to Teavana’s public relations folks. Today, I heard back from Starbucks spokeswoman Jaime Riley, who said Starbucks “takes its obligation to protect customers’ financial information very seriously,” and that the company “has safeguards in place to constantly monitor for any suspicious activity.” But she said the company doesn’t comment on ongoing investigations.

“In the normal course of business, we are contacted by card brands and bank partners to participate in requests to ensure the integrity of all systems, and we participate fully in these requests,” Riley said. “If and when issues are ever substantiated, we will take action to notify and support customers in the most appropriate way possible.”

A source at yet another big debit and credit card issuer said his fraud team became aware of the problem in early March 2013, when the financial institution began seeing a spike in fraudulent charges via counterfeit cards that were being used to buy high-dollar gift cards at Target retail locations.
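The issuer-side detection described above, where a spike in counterfeit-card fraud points back to one merchant chain, is usually done with a common point of purchase (CPP) analysis: take the cards that reported fraud, look back at where all of them were used, and find the merchant that appears on an outsized share of those cards compared with its share of the issuer's whole card base. The script below is an added example, not code from the article or from any issuer; every card, merchant name and date in it is constructed, and the merchant names are placeholders rather than real retailers.

```python
"""Common point of purchase (CPP) analysis on constructed card data.

Added example (not from the original post). An issuer's fraud team can spot a
merchant breach by finding the merchant that an unusually large share of
fraud-reporting cards all visited during a candidate window, relative to how
many cards in the whole portfolio visited that merchant. All data here is
constructed; merchant names are placeholders, not real businesses.
"""
from collections import defaultdict
from datetime import date

# Constructed transaction history: (card_id, merchant, transaction_date)
TRANSACTIONS = [
    # tea-store-a: five cards that later reported fraud plus one clean card
    ("c01", "tea-store-a", date(2013, 1, 5)),
    ("c02", "tea-store-a", date(2013, 1, 8)),
    ("c03", "tea-store-a", date(2013, 1, 12)),
    ("c04", "tea-store-a", date(2013, 1, 15)),
    ("c05", "tea-store-a", date(2013, 1, 20)),
    ("c06", "tea-store-a", date(2013, 1, 22)),
    ("c08", "tea-store-a", date(2012, 12, 1)),  # outside the window; must be ignored
    # gas-y: a few visits, too few fraud cards to be a credible CPP
    ("c01", "gas-y", date(2013, 1, 6)),
    ("c03", "gas-y", date(2013, 1, 9)),
    ("c07", "gas-y", date(2013, 1, 10)),
]
# grocery-x: every card in the portfolio shops here, so it will show up on
# all fraud cards too, but with no lift over its baseline.
TRANSACTIONS += [(f"c{i:02d}", "grocery-x", date(2013, 1, i)) for i in range(1, 11)]

# Constructed set of cards on which counterfeit fraud was later reported
FRAUD_CARDS = {"c01", "c02", "c03", "c04", "c05"}


def merchant_exposure(transactions, start, end):
    """Map merchant -> set of distinct cards used there within [start, end]."""
    exposure = defaultdict(set)
    for card, merchant, when in transactions:
        if start <= when <= end:
            exposure[merchant].add(card)
    return exposure


def common_point_of_purchase(transactions, fraud_cards, start, end, min_cards=3):
    """Rank candidate merchants for a breach.

    For each merchant seen by at least `min_cards` fraud cards in the window,
    compute:
      fraud_coverage = share of all fraud cards that transacted there
      baseline       = share of the whole card portfolio that transacted there
      lift           = fraud_coverage / baseline
    A merchant everyone uses (a big grocer) has lift ~1.0; a breached merchant
    shows high coverage with lift well above 1.0.
    Returns a list of (merchant, fraud_hits, fraud_coverage, lift), best first.
    """
    exposure = merchant_exposure(transactions, start, end)
    all_cards = {card for card, _, _ in transactions}
    results = []
    for merchant, cards in exposure.items():
        fraud_hits = cards & fraud_cards
        if len(fraud_hits) < min_cards:
            continue  # not enough signal to name this merchant
        fraud_coverage = len(fraud_hits) / len(fraud_cards)
        baseline = len(cards) / len(all_cards)
        lift = fraud_coverage / baseline
        results.append((merchant, len(fraud_hits), round(fraud_coverage, 3), round(lift, 2)))
    # Sort by lift first, then by raw number of fraud cards seen
    results.sort(key=lambda r: (r[3], r[1]), reverse=True)
    return results


if __name__ == "__main__":
    ranked = common_point_of_purchase(
        TRANSACTIONS, FRAUD_CARDS, date(2013, 1, 1), date(2013, 1, 31)
    )
    for merchant, hits, coverage, lift in ranked:
        print(f"{merchant:12s} fraud_cards={hits} coverage={coverage} lift={lift}")
```

With the constructed data, `tea-store-a` ranks first (all five fraud cards shopped there, lift 1.67 over its baseline), while `grocery-x` also covers every fraud card but has lift 1.0 because every card in the portfolio uses it; `gas-y` is dropped by the `min_cards` floor. The lift term is what keeps a large, innocent merchant from being named simply because it is everywhere, and the window filter is what lets an analyst narrow the exposure period once a candidate is found.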

The Los Angeles Times has scrubbed its Web site of malicious code that served browser exploits and malware to potentially hundreds of thousands of readers over the past six weeks.

On Feb. 7, KrebsOnSecurity heard from two different readers that a subdomain of the LA Times’ news site (offersanddeals.latimes.com) was silently redirecting visitors to a third-party Web site retrofitted with the Blackhole exploit kit. I promptly asked my followers on Twitter if they had seen any indications that the site was compromised, and in short order heard from Jindrich Kubec, director of threat intelligence at Czech security firm Avast.

Kubec checked Avast’s telemetry with its user base, and discovered that the very same LA Times subdomain was indeed redirecting visitors to a Blackhole exploit kit, and that the data showed this had been going on since at least December 23, 2012.

Contacted via email, LA Times spokeswoman Hillary Manning initially said a small number of users trying to access a subdomain of the site were instead served a malicious script warning on Feb. 2 and 3. But Manning said this was the result of a glitch in Google’s display ad exchange, not a malware attack on the company’s site.

“The LA Times, along with dozens of other Google ad exchange users including the New York Times, the Guardian, CNET, Huffington Post and ZDNet, were, to varying degrees, blocked by malicious script warnings,” Manning wrote in an email to KrebsOnSecurity. “The impacted sections of our site were quickly cleared and there was never any danger to users.”

Unfortunately, Avast and others continued to detect exploits coming from the news site. Manning subsequently acknowledged that the Google display ad issue was a separate and distinct incident, and that the publication’s tech team was working to address the problem.

Malicious code served by offersanddeals.latimes.com

It’s not clear how many readers may have been impacted by the attack, which appears to have been limited to the Offers and Deals page of the latimes.com Web site. Site metrics firm Alexa.com says this portion of the newspaper’s site receives about .12 percent of the site’s overall traffic, which according to the publication is about 18 million unique visitors per month. Assuming the site was compromised from Dec. 23, 2012 through the second week in February 2013, some 324,000 LA Times readers were likely exposed to the attack.

Customers of remote PC administration service Logmein.com and electronic signature provider Docusign.com are complaining of a possible breach of customer information after receiving malware-laced emails to accounts they registered exclusively for use with those companies. Both companies say they are investigating the incidents, but so far have found no evidence of a security breach.